Message ID | 20210825025009.2081060-1-stevensd@google.com (mailing list archive)
---|---
Series | KVM: allow mapping non-refcounted pages
Is there any feedback on these patches? CVE-2021-22543 was fixed by
disallowing mapping of non-refcounted memory. These patches add proper
support for mapping that type of memory.

-David

On Wed, Aug 25, 2021 at 11:50 AM David Stevens <stevensd@chromium.org> wrote:
>
> From: David Stevens <stevensd@chromium.org>
>
> This patch series adds support for mapping non-refcount VM_IO and
> VM_PFNMAP memory into the guest.
>
> Currently, the gfn_to_pfn functions require being able to pin the target
> pfn, so they will fail if the pfn returned by follow_pte isn't a
> ref-counted page. However, the KVM secondary MMUs do not require that
> the pfn be pinned, since they are integrated with the mmu notifier API.
> This series adds a new set of gfn_to_pfn_page functions which parallel
> the gfn_to_pfn functions but do not pin the pfn. The new functions
> return the page from gup if it was present, so callers can use it and
> call put_page when done.
>
> The gfn_to_pfn functions should be deprecated, since they are unsafe
> due to relying on trying to obtain a struct page from a pfn returned by
> follow_pte. I added new functions instead of simply adding another
> optional parameter to the existing functions to make it easier to track
> down users of the deprecated functions.
>
> This series updates x86 and arm64 secondary MMUs to the new API.
>
> v2 -> v3:
>  - rebase on kvm next branch
> v1 -> v2:
>  - Introduce new gfn_to_pfn_page functions instead of modifying the
>    behavior of existing gfn_to_pfn functions, to make the change less
>    invasive.
>  - Drop changes to mmu_audit.c
>  - Include Nicholas Piggin's patch to avoid corrupting refcount in the
>    follow_pte case, and use it in deprecated gfn_to_pfn functions.
>  - Rebase on kvm/next
>
> David Stevens (4):
>   KVM: mmu: introduce new gfn_to_pfn_page functions
>   KVM: x86/mmu: use gfn_to_pfn_page
>   KVM: arm64/mmu: use gfn_to_pfn_page
>   KVM: mmu: remove over-aggressive warnings
>
>  arch/arm64/kvm/mmu.c            |  26 +++--
>  arch/x86/kvm/mmu/mmu.c          |  50 +++++----
>  arch/x86/kvm/mmu/mmu_internal.h |   3 +-
>  arch/x86/kvm/mmu/paging_tmpl.h  |  23 ++--
>  arch/x86/kvm/mmu/tdp_mmu.c      |   6 +-
>  arch/x86/kvm/mmu/tdp_mmu.h      |   4 +-
>  arch/x86/kvm/x86.c              |   6 +-
>  include/linux/kvm_host.h        |  17 +++
>  virt/kvm/kvm_main.c             | 188 +++++++++++++++++++++++---------
>  9 files changed, 220 insertions(+), 103 deletions(-)
>
> --
> 2.33.0.rc2.250.ged5fa647cd-goog
>
On 21/09/21 08:27, David Stevens wrote:
> Is there any feedback on these patches? CVE-2021-22543 was fixed by
> disallowing mapping of non-refcounted memory. These patches add proper
> support for mapping that type of memory.

Sorry, I was busy the past few weeks and I'm now back to KVM work.

Paolo
On 25/08/21 04:50, David Stevens wrote:
> From: David Stevens <stevensd@chromium.org>
>
> This patch series adds support for mapping non-refcount VM_IO and
> VM_PFNMAP memory into the guest.
>
> Currently, the gfn_to_pfn functions require being able to pin the target
> pfn, so they will fail if the pfn returned by follow_pte isn't a
> ref-counted page. However, the KVM secondary MMUs do not require that
> the pfn be pinned, since they are integrated with the mmu notifier API.
> This series adds a new set of gfn_to_pfn_page functions which parallel
> the gfn_to_pfn functions but do not pin the pfn. The new functions
> return the page from gup if it was present, so callers can use it and
> call put_page when done.
>
> The gfn_to_pfn functions should be deprecated, since they are unsafe
> due to relying on trying to obtain a struct page from a pfn returned by
> follow_pte. I added new functions instead of simply adding another
> optional parameter to the existing functions to make it easier to track
> down users of the deprecated functions.
>
> This series updates x86 and arm64 secondary MMUs to the new API.
>
> v2 -> v3:
>  - rebase on kvm next branch

Hi David,

this needs a rebase. I have pushed my current queue, but note that parts
of it are still untested.

A bigger question here is the gfn_to_pfn caches and how to properly
invalidate them. However your patch doesn't make things worse (only a
bit inconsistent because pointing certain MSRs to a VM_PFNMAP|VM_IO page
can fail).

Paolo

> v1 -> v2:
>  - Introduce new gfn_to_pfn_page functions instead of modifying the
>    behavior of existing gfn_to_pfn functions, to make the change less
>    invasive.
>  - Drop changes to mmu_audit.c
>  - Include Nicholas Piggin's patch to avoid corrupting refcount in the
>    follow_pte case, and use it in deprecated gfn_to_pfn functions.
>  - Rebase on kvm/next
>
> David Stevens (4):
>   KVM: mmu: introduce new gfn_to_pfn_page functions
>   KVM: x86/mmu: use gfn_to_pfn_page
>   KVM: arm64/mmu: use gfn_to_pfn_page
>   KVM: mmu: remove over-aggressive warnings
>
>  arch/arm64/kvm/mmu.c            |  26 +++--
>  arch/x86/kvm/mmu/mmu.c          |  50 +++++----
>  arch/x86/kvm/mmu/mmu_internal.h |   3 +-
>  arch/x86/kvm/mmu/paging_tmpl.h  |  23 ++--
>  arch/x86/kvm/mmu/tdp_mmu.c      |   6 +-
>  arch/x86/kvm/mmu/tdp_mmu.h      |   4 +-
>  arch/x86/kvm/x86.c              |   6 +-
>  include/linux/kvm_host.h        |  17 +++
>  virt/kvm/kvm_main.c             | 188 +++++++++++++++++++++++---------
>  9 files changed, 220 insertions(+), 103 deletions(-)
>
From: David Stevens <stevensd@chromium.org>

This patch series adds support for mapping non-refcount VM_IO and
VM_PFNMAP memory into the guest.

Currently, the gfn_to_pfn functions require being able to pin the target
pfn, so they will fail if the pfn returned by follow_pte isn't a
ref-counted page. However, the KVM secondary MMUs do not require that
the pfn be pinned, since they are integrated with the mmu notifier API.
This series adds a new set of gfn_to_pfn_page functions which parallel
the gfn_to_pfn functions but do not pin the pfn. The new functions
return the page from gup if it was present, so callers can use it and
call put_page when done.

The gfn_to_pfn functions should be deprecated, since they are unsafe
due to relying on trying to obtain a struct page from a pfn returned by
follow_pte. I added new functions instead of simply adding another
optional parameter to the existing functions to make it easier to track
down users of the deprecated functions.

This series updates x86 and arm64 secondary MMUs to the new API.

v2 -> v3:
 - rebase on kvm next branch
v1 -> v2:
 - Introduce new gfn_to_pfn_page functions instead of modifying the
   behavior of existing gfn_to_pfn functions, to make the change less
   invasive.
 - Drop changes to mmu_audit.c
 - Include Nicholas Piggin's patch to avoid corrupting refcount in the
   follow_pte case, and use it in deprecated gfn_to_pfn functions.
 - Rebase on kvm/next

David Stevens (4):
  KVM: mmu: introduce new gfn_to_pfn_page functions
  KVM: x86/mmu: use gfn_to_pfn_page
  KVM: arm64/mmu: use gfn_to_pfn_page
  KVM: mmu: remove over-aggressive warnings

 arch/arm64/kvm/mmu.c            |  26 +++--
 arch/x86/kvm/mmu/mmu.c          |  50 +++++----
 arch/x86/kvm/mmu/mmu_internal.h |   3 +-
 arch/x86/kvm/mmu/paging_tmpl.h  |  23 ++--
 arch/x86/kvm/mmu/tdp_mmu.c      |   6 +-
 arch/x86/kvm/mmu/tdp_mmu.h      |   4 +-
 arch/x86/kvm/x86.c              |   6 +-
 include/linux/kvm_host.h        |  17 +++
 virt/kvm/kvm_main.c             | 188 +++++++++++++++++++++++---------
 9 files changed, 220 insertions(+), 103 deletions(-)
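As an added illustration of the contract the cover letter describes (not code from this series or from KVM), here is a userspace C model: the old helper must pin, so it fails on a pfn that has no struct page behind it, while the new helper returns the pfn regardless and hands back a page reference only when gup found one, which the caller drops with put_page once the pfn is installed. The struct page, lookup_pfn and the model_ function signatures are assumptions made for the model.

```c
/* Userspace model of the two contracts the cover letter contrasts. Not kernel
 * code: struct page, lookup_pfn and the signatures are assumptions. */
#include <stdint.h>
typedef uint64_t gfn_t, kvm_pfn_t;
#define KVM_PFN_ERR_FAULT ((kvm_pfn_t)-1)
struct page { int refcount; };
/* Constructed store: gfn 0,1 are refcounted RAM; gfn 2 models a VM_PFNMAP/VM_IO
 * pfn with no struct page behind it; anything else faults. */
static struct page ram[2] = { { 1 }, { 1 } };
static void get_page(struct page *p) { p->refcount++; }
static void put_page(struct page *p) { p->refcount--; }
/* Stand-in for follow_pte: identity gfn->pfn, a page only when refcounted. */
static kvm_pfn_t lookup_pfn(gfn_t gfn, struct page **pagep)
{
	*pagep = (gfn < 2) ? &ram[gfn] : 0;
	return (gfn < 3) ? (kvm_pfn_t)gfn : KVM_PFN_ERR_FAULT;
}
/* Old contract: the pfn must be pinned, so a non-refcounted pfn is a failure. */
static kvm_pfn_t model_gfn_to_pfn(gfn_t gfn)
{
	struct page *page;
	kvm_pfn_t pfn = lookup_pfn(gfn, &page);
	if (pfn == KVM_PFN_ERR_FAULT || !page)
		return KVM_PFN_ERR_FAULT;
	get_page(page);		/* stays pinned until the caller releases it */
	return pfn;
}
/* New contract: no pin; a page found by gup comes back with one reference that
 * the caller drops with put_page when done. Non-refcounted pfns succeed. */
static kvm_pfn_t model_gfn_to_pfn_page(gfn_t gfn, struct page **pagep)
{
	kvm_pfn_t pfn = lookup_pfn(gfn, pagep);
	if (pfn != KVM_PFN_ERR_FAULT && *pagep)
		get_page(*pagep);
	return pfn;
}
/* Updated secondary MMU caller: install the pfn, release the page. The mmu
 * notifier, not a pin, keeps the mapping safe afterwards. Returns 1 on success. */
static int model_map_gfn(gfn_t gfn)
{
	struct page *page;
	kvm_pfn_t pfn = model_gfn_to_pfn_page(gfn, &page);
	if (pfn == KVM_PFN_ERR_FAULT)
		return 0;
	/* ... pfn would be written into the secondary page table here ... */
	if (page)
		put_page(page);	/* refcount is balanced again */
	return 1;
}
```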